So good morning everyone, hope you're enjoying DEF CON so far. Happy to see so many people here early in the morning on the last day, so I hope I won't put you to sleep. Let's start with it.

Okay, so a bit of introduction. I'm the head of the national Polish CERT, that's the computer security incident response team. That's my job, but this research is not related to the job in any way, so just a disclaimer: that's my research, and not necessarily all opinions are shared by my employer. My background is as a programmer, but that was a long time ago. I eventually got a degree in social psychology. That's not social engineering; it's related, but I don't think they give degrees in social engineering yet. I have 15 years of experience in IT security, and I also love everything about flying and aviation. I almost became an air traffic controller, in training at some moment, and I love to learn how systems work, how everything is going on in the background.

So also because I tend to fly a lot, both privately and because of my employer, I enjoy some benefits for frequent fliers, and I have some kind of disregard for frequent flyer miles. They don't have any real value to me anymore, but I still enjoy the privileges like lounge access or fast track access. They really save you time and give you some comfort at the airports. Except when somebody tries to fix a problem when the problem doesn't really exist.

So about a year ago my home airport in Warsaw introduced these automatic self-service gates, which were supposed to speed things up.
Because instead of waving your boarding pass in front of a person and having them scan it, you just use a scanner and the gates let you in. The only problem was with the fast track: it didn't read my status properly. So it would let in all the business class passengers, but I tend to travel on economy, and I only get the fast track access because I have this gold status. So it wouldn't read the status properly, so I would have to go to the guy anyway, show him my boarding pass, make him come to the gate, scan my boarding pass like two or three times. It's kind of counterproductive; it wastes about 30 seconds of my precious time, and the guy probably has better things to do. So let's see if I can fix things.

So let's rewind a little bit. What are we talking about? As you probably noticed, for the past ten years or so you get this little barcode on your boarding pass, whether it's mobile or on paper; you still get a nice 2D barcode on your boarding pass. That was introduced in 2005 by IATA, which is the International Air Traffic Association if I get it properly, resolution number 792. It introduces something called the Bar Coded Boarding Pass standard, which is adopted by all airlines, airports, everybody who deals with boarding passes. They have to obey that standard.

And so you get four different kinds of barcodes which can be used. When you have a paper boarding pass it must always be PDF417, which is the nice rectangular one, the wide one. If it's on mobile,
it should be one of the square ones. So it's the QR code, which you probably know about, and the Aztec and Data Matrix, which you have examples of down here.

So I got on Google Play and started looking for barcode scanners to make my life easier, and fairly enough you get dozens of them. The two in the middle, Barcode Scanner by Geeks Lab and the Manatee one, would become my two favorites, but you get a wide choice. So with freely available tools you can see what's inside, and this is pretty much what the boarding pass looks like when it's encoded in BCBP. It's just a bunch of characters, and sort of by trial and error I started figuring out: okay, if it doesn't read my frequent flyer status properly, probably I need to adjust the booking class, right? I need to say I'm in business, if that's what it reads, and let's see if it will let me in.

So the other tool I would need would be a boarding pass generator, and fairly enough there's also a bunch of them on the Google Play Store, and I'm pretty sure on the Apple Store as well. So like I said, first by trial and error I figured out this would be the travel class character. If you fly a little bit you kind of get used to these letters, like M would be for economy, or Y would be for economy, C would be for business, things like that. And you also can pretty clearly see some things standing out, like first name, last name, origin airport, I'm sorry, departure airport, destination airport, flight number. So some things you can make out just by looking at the clear text characters.

So let's see if I switch this little character to C. And mysteriously it worked; it would let me in. So fine, I saved about 30 seconds of my time every time I traveled through the fast track. So it's free fast track for all travelers. Neat, but what else can we get? If this is not verified, what else is not verified? What else can I play with?
And I started changing different things, like first name, last name. Fairly enough, it lets you in. So then I figured, okay, if there's one thing that can be verified easily, it's the booking code, right? Because that can be looked up in the reservation system, and maybe that could be matched to your boarding pass, and they could at least know whether you're traveling or not, whether the reservation is there or not, or if somebody is just making up things. So let's go ahead and change this. And it would also let me in.

So now I was getting really confused. What we are getting here is now airport access for all, pretty much, right? Just a bit of explanation: that was in Warsaw. I tested it in a number of different airports; in the US it would work a bit differently, which I will come back to in a minute, but this works in a lot of airports. It's not something specific to Warsaw or just one or two airports, and we will come back to why that is. So it's not just fast-track access, it's airport access for all.

And yeah, I felt like, with millions of travelers per day, how come nobody noticed it? Somebody had to spill this out already. And yeah, this is not entirely news. Back in 2003 Bruce Schneier already noticed, when the concept of print-your-own boarding pass was introduced, even before the barcoded boarding pass was there, that you can spoof a boarding pass, and with this you could also circumvent the no-fly list checks in the US. That was 2003. Until 2007 this was not fixed in any way, and in November 2006 Chris Soghoian put up a web page where anybody could produce a fake.
I think it was a Southwest boarding pass, and he got into a lot of trouble for that. He pretty much got the FBI raiding his home, and he got a nice letter from the TSA saying: you are violating these and these laws, don't do it please. There are also two articles from 2008 and 2011 which were done jointly with Bruce Schneier. They also touch a bit on physical security. I totally recommend going and reading them; it's very entertaining. And in 2012 John Butler also wrote an article on how you could possibly figure out whether you are pre-check eligible, or actually make yourself pre-check eligible. Most of the technical stuff he got wrong in the article, but anyway, the idea was kind of cool and he made some things right at least.

So how did the no-fly list bypass work back in 2003? You would have to buy tickets under a false name, because when you are buying the tickets your name gets matched against the no-fly list. Then you print your boarding pass at home. So this is one point where things get checked: your name against the no-fly list. Then you create a copy of the boarding pass and put your real name on it, which is on the no-fly list, but we'll come to that. Then you present the fake boarding pass to the TSA officer along with your ID, and the problem here is that TSA officers did not have access to the reservation system, so they only validated the boarding pass against your ID. So it's a fake boarding pass, but the name matches your ID, you're good to go. And then when you actually board the plane, you discard the fake boarding pass and produce your original boarding pass again, which matches the reservation system, and you can fly. So that was in 2003, and like I said, it was the same thing described in 2006 and 2007. It got a bit improved since then, and we'll come to that.

So this is the letter. I don't know if you can see it, but it's easy to Google it up. It's the letter that Mr.
Soghoian got for revealing this and making this fake boarding pass creator.

So how does bypassing the no-fly list work in 2016 in Europe? Basically: buy tickets under a false name, then go to the airport and fly. So not exactly an improvement. Why is that? First of all, there are two impacting factors. One is that some airlines are more business-conscious than others, so they actually will check your ID when you are boarding. But again, this is not the airport thing, it's the airline thing, and why the airlines do it is because of protecting their business, so you just don't buy cheap tickets and then resell them to somebody else. It's only for that reason, and it's mostly low-cost airlines which will check your IDs regularly, and most airlines never check your IDs in Europe. And ID checks at the security checkpoints have been abandoned like two or three years ago when you are traveling domestically, but not only domestically, because of the Schengen area, which I don't know how many of you know what it is. It's 26 countries in Europe. It's not the same as the European Union; it's 26 countries in Europe which agreed to abandon border checks. So you only have increased border checks around the Schengen area, and a lot of information exchange between the countries on immigration, but there are no checks within the area, so you can freely roam. You don't need to follow the border checkpoints, you can just hike in the mountains or whatever. And when traveling within the Schengen zone, it was officially asked of the governments, etc., why there are no ID controls at the airport. It's like, there's no reason to do it, security is provided by physical security screening. Fair enough.

Okay, so let's go back a bit. Turns out I didn't need to be reverse engineering this boarding pass format. It's all public; this IATA resolution is all public, you can just go and download it. And this is the part which is mandatory for the boarding pass.
So it's 60 characters, and you get things like first name, last name, you get the compartment code, which is the travel class. Can anybody spot a problem here? This is all that is mandatory; nothing else is mandatory. So I'm gonna help you here: there are absolutely no integrity checks and no authentication provided. It's just 60 characters, and they're as good as you provide them.

And just to be fair, this is the full specification, and there's a bunch of optional items, and one of them at the bottom is the security part, where you can provide something they call a certificate, which is basically a digital signature for the boarding pass. So it can be included, but it's optional, and we will come back to that.

So the other way to verify it, like I said, would be to look up the booking number in the reservation system. So let's see where this passenger data is stored, where it could be looked up. Basically it's stored in something called computer reservation systems, which store your data in the format of passenger name records, which include lots of data, including lots of private data. Which is not only your first name and last name, address, email address, but also things like special requests, which means whether you need special assistance like a wheelchair or something, whether you have special dietary requirements, which could tell you whether you're Muslim or Jewish or things like that, and loyalty program data, etc.
And also if you provided contacts for your precious ones in case of emergency, it would also end up there. So this is one of the problems: there's a lot of private information which is not allowed to be shared between different parties.

The other problem is there are a lot of computer reservation systems out there. It's not like there's a single reservation system for all, so it's not just go and look up the data by the PNR code and you will pull out whatever you need; you need to know where to look for it. And there are a number of global distribution systems, which are like huge CRSs used by multiple airlines. The most famous ones are Sabre and Amadeus and Galileo and Worldspan. But there are also a lot of proprietary ones which are used by small airlines. They don't pay the fees to the big systems, they just run their own, and as long as it works for them it's fine. Basically the only place where you need to look up this information is when you buy your tickets, when you check in, and when you're boarding the plane. So normally airports don't have access to this data.

Also, to make things more confusing and complicated, when you make a single reservation it may end up with bits of information scattered around different reservation systems. So when I made the reservation for my flight here, I had a couple of flights code-shared with Polish Airlines. The reservation was with United, which is using a different reservation system than LOT Polish Airlines, so at least two reservation systems would be involved. And if I was making that reservation through a travel agency which is using a third reservation system, that would be at least three PNRs in three reservation systems, and that's kind of confusing. And data access is not only limited across different reservation systems, but also, like I said, because of privacy reasons not everybody has access to the same pieces of information in the system.
And yeah, a notice of advice: the barcode will usually have more information than is just in clear print, and if you use that information you can access the reservation. You can access a lot of this private data online, and you can even make some changes like cancelling tickets or modifying your itinerary. So just don't post anything without making sure it's anonymized or blurred or something.

And this is one of the examples which is kind of ridiculous, because like I said, everybody can go, if you know which CRS system is used by the airline, everybody can go to the website. If you have this PNR locator, which is also known as booking code or reservation reference number, you put it in, and then you put the passenger's name in, and you get most of this data. At least you can see whether the reservation is there or not. But airports are not allowed to do so.

And from the reservation system the data is then moved into a couple of other systems. One of them would be the departure control system, which is basically the system which is used after you check in to make sure that only the checked-in passengers get on board. It also stores your seat assignments, baggage information, etc. There's also a thing called API, advance passenger information (not advanced, advance passenger information), which is sent to border agencies of several dozens of countries which require that. So it will let them know who is coming to their country, and they can do some pre-screening and tell the airlines like, this guy needs some additional security before he boards the plane. There's also PNRGOV, which is not exactly another system, it's just a message exchange format to exchange PNR information, so the passenger record information, with the government agencies.
It's not widely used though, apart from sending advance passenger information, which again has nothing to do with looking at the information at the airport; it's just for the border agencies. And there is the Secure Flight program, which I will describe in more detail in a moment.

Okay, to make things easier for me, I put up a simple web page, and I hope I will be able to show it. It's all JavaScript, so it works offline, and I found a nice JavaScript library for producing Aztec codes. So the PNR doesn't matter, as I show you, whatever, and there you go. And... wait, wait, wait. I forgot to tell you: the only thing that actually needs to work is the flight number and the date. The flight number actually gets matched against the list of flights that depart from the airport. Also the departure airport needs to match the departure airport configured with the gate, and the date needs to match. It can also be the next day, because sometimes you enter the airport and your flight is early in the morning, so it can be the other day too.

Okay, with paper it's just a bit less fun. Like I said, these automatic gates help things enormously because you don't even have to deal with humans, right? You don't have to produce anything which is even remotely legitimate-looking; it's just a barcode. But when you need paper, it's no big deal, you just need to have this paper. You need to edit the PDF probably, and I already have a couple of templates for the airlines I use. And by the way, Microsoft Word is a great PDF editing tool. Really, you can just open the PDF and it will convert it to a Word document, and you can do all the editing you need. And just remember that, anyway, although people tend to look at the paper, they will have to scan the barcode anyway, so it should match the information that you have on the paper.

So now let's get some fun. Actually, just getting to the airport is not much.
So how about accessing lounges? With contract lounges it's almost too easy, right? Because they have no way to access this private information, they have no way to look up the passenger records. So they will gladly buy whatever you present. Just a bit of advice: it needs to be based on the travel class, because if you present the gold card you will be asked for the physical gold card. Also your data will be written down. And actually, even if you have the card, but for example the status expired or something, they actually have a way to look it up online. So there is apparently a system where you can look up the card status, whether it's valid and so on.

So it should be a bit trickier for the airline-operated lounges, right? Because they are the airlines, they have access to passenger data, so they should be able to verify the status. And there is at least one airline which attempts to do it. It's Scandinavian Airlines. They also have these lounges where they will let you in with automatic gates. So I thought this is easy, and I travel through Copenhagen very often, so it gives you a lot of opportunities for trial and error. And then, yeah, they actually do, and they seem to do the checks on the reservation system.
So whenever I tried to fiddle with the booking class or my status, it would just bounce me; it would always bounce with the same message, like departure airport is not right or something like that. So a bit vague, but after it did so five times I figured it must be just one message for all kinds of errors. So anyway, they do some checking. Except there are a lot of other airlines whose passengers are also eligible to use the lounge, like SAS is in Star Alliance, and this is about 15 or 20 other airlines which are in Star Alliance. And when you are traveling on another carrier within the same alliance and you are traveling on business, you can still get into the lounge. And guess what, not all airlines use the same reservation system. So all you need is to find a flight which is departing in a reasonable time frame, operated by another carrier, hopefully one that uses another reservation system, but it shouldn't be necessary, and produce a fake boarding pass for that carrier. And guess what, it worked. Right, so I just used Brussels Airlines, which uses a totally different reservation system, and I put up information in a boarding pass for that flight, and it let me in.

Also, there are some airlines which don't do it properly. Specifically this one. It's the best airline in the world according to many people, the one in Istanbul, and it's operated by Turkish Airlines. And I thought this is going to be hard, because really 99% of the Star Alliance flights from that airport are operated by Turkish. So there are very few flights which are Star Alliance but not Turkish. So what am I going to do? Well, let's first try if they will let me in with just random Turkish flight data. So I just looked up on the departure board a random flight from Istanbul to London Gatwick.
I like to use the name of Bartholomew Simpson; he was a good prankster. Yeah, the date needs to match. And I need to warn you, I had the camera hidden in plain sight, so it was dangling from my shoulder bag. So this is the automatic gates. No need to talk to the dragon lady. And by the way, this is a full-sized cinema inside the lounge.

And yeah, you don't need to be traveling. Like I said, you can do the same to enter the airport. You will still go through security screening, so they will take all your liquids, but no need to worry here. And after Wired did an article on this and they actually published this video, I got lots of requests. By the way, this one is from an Israeli lawyer. Like, what's wrong with Israeli lawyers? Really, are they paid so badly that they can't afford lounge access?

One other nice thing is you have duty-free shops at the airports, right? And again, you don't need to be traveling, and in many countries it's not like in the US, so you don't get your sealed bag in the passenger seat, you just get it to go. And the eligibility for tax-free prices is determined by whether you are traveling inside the EU or outside the EU. So if it's inside the EU, it's domestic prices, including tax, and if you're traveling outside the EU you get this tax-free price. And here's the difference. To convert it for you, it's one liter. I have no idea what it is in US units, but it's about 25 shots, and 25 zloty is about seven dollars. So I think it's a good deal.

So what do we get? It's airport access, so we can meet and greet your loved ones, do some sightseeing, fast track, free lunch and booze, duty-free shopping. Okay, let's get to some serious stuff, like how can it be prevented, and what is actually done to prevent it?
So IATA has a nice section in, I think it's an 80 pages or so document. They have this half-a-page section on fraud prevention, which nicely identifies the risks associated with boarding by a BCBP, so it can be modified, it can be forged, it can be duplicated. And pretty much all the mitigation they came up with is: check that the passenger is on the passenger name list, and add a certificate. And like I said, by certificate they really mean the digital signature.

So let's see how the digital signature is doing. It was introduced in 2009 by version 3 of the standard, and it's based on PKI. And one thing about PKI is it needs to be deployed properly, right? So you need to distribute the public keys, so they would have to be there at every checkpoint. You would have to maintain the CRLs, etc., etc. And also many airlines would still use version 1, which does not support digital signatures, so all the readers also need to support these old versions. And again, this field is optional, and this is a quotation from the document: "optional and to be used only when required by the local security administration". So it's not even encouraged; it's only to be used when it's required. The specific algorithm is determined by the authority. And this was enforced by TSA for US carriers, but not entirely. For example, when I was traveling here I had my boarding card produced in Amsterdam and it was printed neatly on the United paper, but it had no digital signature. I will come to that.

There's another thing which could be used, which is a standard called BCBP XML. This is for transporting data between checkpoints and the airline systems. So it's just, again,
it's just a data format which is standardized by IATA, and it could be used to check the PNR data against the reservation systems with no private information getting transferred. So you just send up whatever you scan from the PNR, and the airline would come up with a zero or one, so good to go or not good to go, possibly with an explanation of the reason if it's not good to go. The problem again is the complexity. Many airports are serving more than 200 airlines, and they would have to connect to each of their reservation systems, right? And if they don't connect to 10 out of 200, you still have a way to produce a fake boarding pass. Pretty much, if you don't cover 100%, you still get a loophole, right? So just the complexity of the solution probably is the reason why it doesn't really work, and I haven't seen it deployed anywhere.

And there's also one thing that TSA seems to be doing right, at least starting from 2013. Secure Flight is a program that they've implemented in 2009, and the reason for the program was to take over the monitoring of watch lists, so the no-fly lists and secondary screening lists, from the airlines to the TSA authorities. So instead of relying on airlines, they said: no, no, no, we need this information and we will do the verification. Also part of Secure Flight is the TSA PreCheck program introduced in 2011, so you get this nice BCBP field specifically for this reason, which is called the selectee indicator, which tells you whether you are selected for the secondary screening, or whether you're eligible for pre-check, or whether you're just traveling as usual. And in 2013 TSA started networking their devices, the scanning devices, to pull passenger data from this Secure Flight. That includes the passenger's full name, gender, date of birth, screening status, reservation number, flight, etc., in a row. So it can be verified, if it's deployed at all the airports; I'm not sure about that.
It can be verified at the screening checkpoint, and if it doesn't match exactly, they have a nice list of suggestions like: this passenger's name is close enough, maybe it's one of these. So technically they have a way to do it now. Again, whether it's deployed properly and how many airports support it, I'm not sure; it just started in 2013. And generally it's probably the correct way to do it.

And okay, why is DEF CON awesome? I thought I had my presentation all fixed and done, and then on, I think it was Tuesday or Wednesday, I get contacted by Karl Koscher saying: hey, I saw your talk on the agenda, and here's something that I got from eBay, and maybe you want to play with that. And that something was this beauty. So it's a device that you're normally not allowed to buy, I think. This information is from the public website, so you get this level of specification, but it would only be sold to a limited number of parties. This offer is no longer on eBay, unfortunately. It was, I think, $160, so not a big deal. So I had like two days to play with that, and I exchanged a couple of messages with Karl, and here's how it works.

So you see the booting? You see the airport is dash dash dash, because the departure airport is not configured. So we have some constraints. So let's try scanning any random boarding pass. Now when you go with any random old boarding pass, likely the departure airport is not dash dash dash, it's something else, and the date is probably not the same as on the boarding pass on the scanner, sorry, but it will have a valid signature. Let's see what it does. So it says "invalid departure location, refer to counter". So it did not complain about the signature, but it did complain about the departure airport. So okay, let's fix the departure airport.
Ah, sorry again. This time with audio, so three beeps, not good to go, red light. But all it says is "invalid departure location". Now you see me using my mobile phone. Okay, so now the departure location was okay, the date was okay, but the signature is invalid, and it says "refer to superior". So I don't know if you noticed, but it actually said that a signature is not there, so it should go for some manual checking. The problem I see here is it still gives you a green light and one beep. So depending on how vigilant the TSA agent is and how much noise or radio he has, he has a good chance of missing this.

So yeah, let's try modifying the selectee indicator. So three beeps, green light, and you see the LLL. So you are eligible for pre-check, or if you fancy, you can actually go for secondary screening, SSS. Okay, so airport access is confirmed, fast track is confirmed, lounge access is confirmed, duty-free shopping is confirmed, pre-check, I'm not sure, right? A nice idea to play with if you have balls.

So now about responsible disclosure. I actually went out and I tried to talk about this problem to several authorities and airports and airlines, because it's their problem eventually, and this is what came back. So first I contacted LOT Polish Airlines. They said: we just issue boarding passes, and it's the airport that verifies them. So I went to the airports, and in these two cases I was lucky because I actually had known people at the management board level, so I was able to talk to them in person. And the airport authority said: yeah, it's a known issue, but it's not really a problem, we're following all the guidelines and laws, that's fine. Then the civil aviation authority, it took them three or four months to reply, and all they had to say was: boarding pass forgery is a crime, don't do it. It's like, okay, according to my lawyer, not exactly my lawyer but a lawyer
I know: if you want to have a legitimate document, you need to have a way to verify it. It's not a document if you cannot verify it; it doesn't bear any signature at all. That's not the exact wording they use, but it was pretty much the message, right? And this is also what I got from Turkish Airlines and SAS, so, no comment here.

And the question you might have is: would it actually get me flying? And the short answer would be no. There would be very rare circumstances when you would be able to get on the plane, but you would likely be spotted before it even departs, and it would get you into a lot of trouble. So I don't recommend doing that.

But you can still have a nice souvenir; that's kind of a bonus. So one of the airports in Europe, and I will not name them because they actually communicated very openly with me and they said why it is, they confirmed this is because of privacy, they decided to have a loyalty program for the passengers. Which makes sense, because the airport collects fees on every departing passenger, so they want to encourage traffic. So they have this list of gadgets that you can get for a certain number of points, and the points you get for every departing flight. And to register a departing flight you need to scan your loyalty card and your boarding pass. Like, what can go wrong, right?
So here's a simple equation. I really liked the blanket in the middle. It would cost me 600 points, which is six flights, and you see five QR codes because I had one legit flight, nice. And the funny thing is that I even made it look sort of legit, because I produced the QR codes for the flights over the next two days, and it could really fit into a story like I was flying to Edinburgh and then going back in three hours, and I could make it.

So to wrap it up: it's the privacy and complexity of the system which is preventing this exchange of data. And the most important point: while the US did a reasonably good job preventing that, other places actually lowered the bar for us, especially with introducing the automatic gates. So here are the sources, and don't worry, because this is the link for the slides. Most of that will also be on the conference DVD. So thank you. I don't think we have time for questions, but I hope you liked it.
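As an added example (not code from the talk, from IATA, or from any airline or gate vendor): a decoder for the 60-character mandatory BCBP section the talk walks through, plus a gate-side check that mirrors the three things the talk says the automatic gates match (departure airport, flight on the departure list, date today or tomorrow) and adds the missing one, refusing any pass that carries no security block, since without it the name, booking code and compartment fields are unauthenticated. The field widths follow IATA Resolution 792; the sample barcode strings, the departure list and the dates are constructed for illustration.

```python
"""Decoder for the mandatory 60-character section of an IATA BCBP barcode
(Resolution 792) plus a gate-side sanity check.

Added example, not code from the talk or from IATA. The sample barcode
strings below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta

# Fixed-width items of the mandatory section, in barcode order.
HEADER_FIELDS = [
    ("format_code", 1),      # 'M' for a BCBP barcode
    ("legs", 1),             # number of flight segments encoded
    ("passenger_name", 20),  # "SURNAME/GIVEN", space padded
    ("eticket", 1),          # 'E' when an electronic ticket
]
LEG_FIELDS = [               # repeated once per leg (37 characters)
    ("pnr", 7),              # operating carrier booking reference
    ("from_airport", 3),
    ("to_airport", 3),
    ("carrier", 3),
    ("flight_number", 5),
    ("julian_date", 3),      # day of year, 001-366; no year is encoded
    ("compartment", 1),      # travel class letter, e.g. Y, C, J
    ("seat", 4),
    ("checkin_seq", 5),
    ("status", 1),
    ("cond_size", 2),        # hex length of optional data that follows
]


@dataclass
class Leg:
    pnr: str
    from_airport: str
    to_airport: str
    carrier: str
    flight_number: str
    julian_date: int
    compartment: str
    seat: str
    checkin_seq: str
    status: str
    optional: str            # raw conditional/airline data for this leg


@dataclass
class BoardingPass:
    passenger_name: str
    eticket: bool
    legs: list
    has_security_block: bool  # True only if a '^' security section follows


def _take(data, pos, fields):
    """Slice consecutive fixed-width fields starting at pos."""
    out = {}
    for name, width in fields:
        if pos + width > len(data):
            raise ValueError(f"barcode truncated before field {name}")
        out[name] = data[pos:pos + width]
        pos += width
    return out, pos


def parse_bcbp(data: str) -> BoardingPass:
    hdr, pos = _take(data, 0, HEADER_FIELDS)
    if hdr["format_code"] != "M":
        raise ValueError("not a BCBP 'M' format barcode")
    legs = []
    for _ in range(int(hdr["legs"])):
        raw, pos = _take(data, pos, LEG_FIELDS)
        opt_len = int(raw.pop("cond_size"), 16)
        optional, pos = data[pos:pos + opt_len], pos + opt_len
        fields = {k: v.strip() for k, v in raw.items()}
        fields["julian_date"] = int(fields["julian_date"])
        legs.append(Leg(**fields, optional=optional))
    # The optional security data (v3+) starts with '^' after the last leg.
    return BoardingPass(hdr["passenger_name"].strip(), hdr["eticket"] == "E",
                        legs, data[pos:pos + 1] == "^")


def gate_check(bp: BoardingPass, gate_airport: str, departures: set,
               today_iso: str, require_security: bool = True) -> list:
    """Return reasons to refuse the pass at an automatic gate (empty = accept).

    Mirrors the gate logic described in the talk (airport, flight, date is
    today or tomorrow) and adds the check the talk says is missing: refuse
    anything without the security block, because every other field is
    unauthenticated and can be rewritten."""
    today = date.fromisoformat(today_iso)
    leg = bp.legs[0]
    problems = []
    if leg.from_airport != gate_airport:
        problems.append("departure airport does not match this gate")
    if (leg.carrier, leg.flight_number) not in departures:
        problems.append("flight is not on today's departure list")
    # Resolve the year-less day-of-year to the candidate date nearest today.
    candidates = [date(y, 1, 1) + timedelta(days=leg.julian_date - 1)
                  for y in (today.year - 1, today.year, today.year + 1)]
    flight_day = min(candidates, key=lambda d: abs((d - today).days))
    if not (today <= flight_day <= today + timedelta(days=1)):
        problems.append("flight date is not today or tomorrow")
    if require_security and not bp.has_security_block:
        problems.append("no security block: name, booking code and "
                        "class are unauthenticated")
    return problems


# Constructed samples: one mandatory section, once bare and once followed
# by a dummy security block ('^', type '1', hex length '08', 8 bytes).
MANDATORY = ("M1" + "DESMARAIS/LUC".ljust(20) + "E" + "ABC123".ljust(7)
             + "YUL" + "FRA" + "AC".ljust(3) + "0834".ljust(5) + "326"
             + "J" + "001A" + "0025".ljust(5) + "1" + "00")
SAMPLE_UNSIGNED = MANDATORY
SAMPLE_SIGNED = MANDATORY + "^108DUMMYSIG"
```

The check only detects the absence of the security block; actually validating a signature needs the authority's public key and algorithm, which the standard leaves to the local security administration.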